US-10872187

Verified runtime validation of verified cyber-physical system models

Published: December 22, 2020
Assignee: not available in USPTO data we have
Inventors: not available in USPTO data we have
Technical Abstract

A method for ensuring that verification results about models apply to cyber-physical system (CPS) implementations is presented. The invention provides correctness guarantees for CPS executions at runtime. Offline verification of CPS models is combined with runtime validation of system executions for compliance with the model. The invention ensures that the verification results obtained for the model apply to the actual system runs by monitoring the behavior of the world for compliance with the model, assuming that the deviation of the system dynamics is bounded. If, at some point, the observed behavior no longer complies with the model, so that the offline verification results no longer apply, provably safe fallback actions are initiated. The invention includes a systematic technique to synthesize provably correct monitors automatically from CPS proofs in differential dynamic logic.

Patent Claims
19 claims

Legal claims defining the scope of protection, as filed with the USPTO.

1. A computer-implemented method for synthesizing a monitor for a cyber-physical system (CPS) from a verified model of the CPS, the verified model expressed as a set of mathematical formulas, comprising the steps of: deriving a monitor specification from the verified model, the monitor specification comprising a set of specification conjectures, each specification conjecture derived from one of the set of mathematical formulas by verified transformation such that each specification conjecture is satisfied over states of the CPS only if the states are compatible with behavior of the verified model; applying a theorem prover to each specification conjecture to derive one or more monitor conditions expressed as first-order logic by performing logical transformations that successively simplify formulas into structurally simpler formulas expressing effects of the verified model behavior; synthesizing the monitor by syntactic transformation or compilation of the monitor conditions to executable code that verifies the monitor conditions; and verifying the behavior of the CPS by executing the monitor to determine that the CPS meets the set of monitor conditions indicating compliance with the verified model; wherein the CPS includes a controller running control software, the controller reading sensors and controlling actuators, and wherein the monitor verifies the actions of the controller and resulting changes in a state of the CPS.

2. The method of claim 1 further comprising the step of executing the monitor in conjunction with the control software, to guarantee compliance of the CPS with the verified model.

3. The method of claim 1 where the monitor consists of a model monitor, a controller monitor and a prediction monitor.

4. The method of claim 3 wherein the model monitor compares a current state of the CPS with a previous state of the CPS and determines if any differences between the current state and the previous state are in compliance with the verified model.

5. The method of claim 3 wherein the controller monitor monitors the controller to check compliance with the verified model.

6. The method of claim 3 wherein the prediction monitor allows deviations of the cyber-physical system from the verified model to account for real-world imperfections.

7. The method of claim 4 wherein the model monitor, the controller monitor and the prediction monitor read the sensors to determine the current state of the CPS.

8. The method of claim 7 wherein the model monitor runs prior to the control software and determines if physical behavior which occurred between the previous state and the current state is in compliance with the verified model.

9. The method of claim 8 wherein the model monitor will raise an error if any differences between the current state and the previous state are not in compliance with the verified model.

10. The method of claim 5 wherein the controller monitor runs after the control software and determines if physical actions to be taken by the controller will result in the CPS being in compliance with the verified model.

11. The method of claim 10 wherein the controller monitor will raise an error if the physical actions will result in the CPS not being in compliance with the verified model.

12. The method of claim 6 wherein the prediction monitor runs after the control software and determines if physical actions to be taken by the controller will result in the CPS being in compliance with the verified model in the presence of bounded deviations between the CPS and the verified model.

13. The method of claim 12 wherein the prediction monitor will raise an error if the physical actions to be taken by the controller will result in the CPS not being in compliance with the verified model.

15. The method of claim 8 wherein compliance with the model monitor guarantees that properties of the verified model are present in the CPS before the control software is executed.

16. The method of claim 10 wherein compliance with the controller monitor guarantees that properties of the verified model are present in the CPS after the control software is executed.

17. The method of claim 12 wherein compliance with the prediction monitor guarantees that properties of the verified model will still be present in future states of the CPS.

18. The method of claim 1 wherein the method is automated in accordance with an algorithm.

19. The method of claim 1 wherein the mathematical formulas are differential dynamic logic formulas.

20. The method of claim 3, wherein the prediction monitor predicts a next state of the CPS based on the actions to be taken by the controller and initiates failsafe actions if the next state of the CPS deviates from the verified model.
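The scheme described in the abstract and in claims 3 to 13 and 20, as an added worked example that is not taken from the patent or from the inventor's own ModelPlex tooling: a constructed one-dimensional vehicle model (position x, velocity v, commanded acceleration a, and an obstacle the vehicle must never reach) with the model monitor, the controller monitor and the prediction monitor written as plain checks, and the provably safe fallback (full braking) substituted whenever a post-control monitor fails. The model, its control guard, every numeric parameter and all helper names (`Params`, `State`, `evolve`, `guard_holds`, `supervised_step`, `run_trace`) are assumptions made for this illustration; a real deployment would derive the monitor conditions from the proof as claim 1 describes rather than writing them by hand.

```python
"""Runtime validation of a verified CPS model: model monitor (did the plant
behave as the model allows since the last controller run?), controller monitor
(is the chosen action allowed by the model?) and prediction monitor (is the
action still allowed when the real plant deviates from the model by up to
delta?). Constructed illustration; the vehicle model and numbers are not from
the patent."""
from dataclasses import dataclass
from math import isclose

@dataclass(frozen=True)
class Params:
    A: float         # maximum acceleration the model allows
    b: float         # braking deceleration; the fallback action is -b
    eps: float       # maximum time between two controller runs
    obstacle: float  # position the vehicle must never reach

@dataclass(frozen=True)
class State:
    x: float  # position
    v: float  # velocity

PARAMS = Params(A=2.0, b=4.0, eps=0.5, obstacle=50.0)  # constructed values
DELTA = 0.5  # constructed bound on how far the real acceleration may deviate

def evolve(s: State, a: float, t: float) -> State:
    """Closed form of the plant x' = v, v' = a for time t; a braking vehicle
    comes to rest instead of reversing."""
    if a < 0 and s.v + a * t < 0:
        t = s.v / -a
    return State(s.x + s.v * t + a * t * t / 2, s.v + a * t)

def stopping_distance(v: float, b: float) -> float:
    return v * v / (2 * b)

def guard_holds(s: State, a: float, p: Params) -> bool:
    """Control guard of the constructed model: applying `a` for up to eps
    seconds and then braking with b must still stop before the obstacle."""
    after = evolve(s, a, p.eps)
    return after.x + stopping_distance(after.v, p.b) <= p.obstacle

def model_monitor(prev: State, a_prev: float, cur: State, p: Params,
                  tol: float = 1e-6) -> bool:
    """Claims 4, 8, 9: runs before the control software and checks that the
    observed evolution is one the model allows, i.e. the plant followed
    x' = v, v' = a_prev for some duration t in [0, eps]."""
    if abs(a_prev) > tol:
        t = (cur.v - prev.v) / a_prev
    elif abs(prev.v) > tol:
        t = (cur.x - prev.x) / prev.v
    else:
        t = 0.0  # at rest with no acceleration: state must not change
    if t < -tol or t > p.eps + tol:
        return False
    pred = evolve(prev, a_prev, t)
    return isclose(cur.x, pred.x, abs_tol=tol) and isclose(cur.v, pred.v, abs_tol=tol)

def controller_monitor(s: State, a: float, p: Params) -> bool:
    """Claims 5, 10, 11: runs after the control software and checks its action
    against the model's control program: acceleration in range, and either
    braking (always allowed) or an acceleration for which the guard holds."""
    if not -p.b <= a <= p.A:
        return False
    return isclose(a, -p.b) or guard_holds(s, a, p)

def prediction_monitor(s: State, a: float, p: Params, delta: float) -> bool:
    """Claims 6, 12, 13: like the controller monitor, but the real plant may
    realize any acceleration in [a - delta, a + delta]; the guard must hold
    for the worst case a + delta (capped at the model's maximum A)."""
    return -p.b <= a <= p.A and guard_holds(s, min(a + delta, p.A), p)

def supervised_step(s: State, proposed_a: float, p: Params, delta: float):
    """Claim 20: run both post-control monitors on the proposed action and
    substitute the provably safe fallback (full braking) on a violation."""
    if controller_monitor(s, proposed_a, p) and prediction_monitor(s, proposed_a, p, delta):
        return proposed_a, "ok"
    return -p.b, "fallback"

def run_trace(p: Params, delta: float, steps: int = 60, dt: float = 0.5):
    """Constructed closed-loop run: the control software always asks for full
    acceleration and the plant follows commands exactly; the monitors force
    braking whenever the model can no longer vouch for the next state.
    Returns (highest position reached, fallbacks taken, model-monitor errors)."""
    s, a_prev, fallbacks, model_errors, x_max = State(0.0, 0.0), 0.0, 0, 0, 0.0
    for _ in range(steps):
        cur = evolve(s, a_prev, dt)            # physical evolution since last run
        if not model_monitor(s, a_prev, cur, p):
            model_errors += 1                  # claim 9: raise an error
        a, verdict = supervised_step(cur, p.A, p, delta)
        fallbacks += verdict == "fallback"
        s, a_prev, x_max = cur, a, max(x_max, cur.x)
    return x_max, fallbacks, model_errors

if __name__ == "__main__":
    print(run_trace(PARAMS, DELTA))
    print(supervised_step(State(30.0, 10.0), PARAMS.A, PARAMS, DELTA))
```

The controller monitor and the prediction monitor disagree exactly in the band where the commanded action is allowed by the model but a slightly stronger real acceleration would not be (for example `State(29.8, 10.0)` with `a = 1.5` and `delta = 0.5`); that band is what claim 12 adds over claim 10. The model monitor, by contrast, rejects any observation the plant equations cannot produce within one cycle, which is the check that tells the operator when the offline proof has stopped applying.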


Patent Metadata

Filing Date: October 10, 2014
Publication Date: December 22, 2020


Cite as: Patentable. “Verified runtime validation of verified cyber-physical system models” (US-10872187). https://patentable.app/patents/US-10872187


Verified runtime validation of verified cyber-physical system models — André Platzer